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Intelligence Request 



Description 



INT-REQ-ID 


INT-REQ-451 


Background 


"Lizard Squad" is a group of hackers, responsible for DDoS attacks against: 

EA Games; 
Xbox Live; 

Sony Playstation Network; 
RockStar Games. 

"GOP" is a group of hackers, responsible for cyber attack against Sony. 

Analysis shows some linkage and correlation between "Lizard Squad" and 
so-called "GOP". The details in the report may help attribution and some 
IOA's may help defend future attacks. 


Priority 


High 


Target Date 


Report Immediately When Available 
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Adversary Profiles 



Lizard Squad 

Lizard Squad is a group of cybercriminals, having 8 key members - "dragon", "komodo", "ryan" 
(was arrested), "sp3c", "adbilo", "chameleon", "vagineer" or "vinnie" (was arrested), & 
"gecko". This group started to position themselves as Hacktivists, attacking big corporations, 
primarily gaming servers. There are also several other bad actors which appeared after the first 
cyber attacks of the group, such as "ice", "MLT", "algOd", "jordie" (was arrested), "teridax" and 
"lolaristocrat", who allegedly acted as one of the main operators on their IRC channel. 

The group has several technical leaders, as well as some ideological support, having no ties to 
cyber attacks or practical hacking. One of the first cyber attacks on behalf of the group was 
performed against the Sony Playstation Network, and several other corporations. Since these 
first attacks, the profile of the group has significantly changed. 

Some of their key members, such as "Abdilo" and "lolaristocrat" have become more 
independent, performing cyber attacks against military, government and private sector network 
resources without any clear motivation. There are several identified Twitter accounts with the 
hashtag #KimJongSec, created by the last bad actor for reasons unknown. The account promotes 
DDoS attacks against South Korea and their President's WEB-site. 

As of October 2014, "Abdilo" left Lizard Squad per his postings, but retained some relations 
with its key members. Later in December 2014, "Abdilo" also published several posts 
supporting North Korea, while continually showing aggression against the US and Australian 
Government. 

He also attacked one of the biggest nuclear energy companies in South Korea - Korea Hydro & 
Nuclear Power (KHPN) 12 , targeting their power plant infrastructure, where "non-critical" data 
seemed to have been stolen. Before the attacks against South Korea, "Abdilo" had compromised 
several government resources of the US and Australia Government. 



"abdilo" 

In one of the messages from Lizard Squad, a nickname of "Abdilo" appears: 



1 http://www.reutersxom/article/2014/12/22/us-southkorea-nuclear4dUSKBNQKQQ8E2Q141222 



2 http://www.reuters.com/article/2Q 14/12/3Q/nuclear-southkorea-cybersecuritv-idUSL3NQUEl A32Q 14 1 230 
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"Little thieves arc hanged, but great ones escape." 

We set out on our journey 2 weeks ago with the plan to cause havoc within the gaming community. 
Our motives varied throughout this adventure. Originally it was to sec if we could evade being 
caught and to experience the raw thrill of anarchy, not being bound to phony laws. We've been 
called everything from an organized criminal "gang" to complete assholes, really we arc just 
a bunch of guys with too much free time. Throughout our journey we met new people, gained new 
members, learned new things. People tried taking swings at us (and missed). We proved that even 
though we arc little in this very big world, that a small group of friends who work together can 
cause a lot of havoc without legal repercussions. Today we will be disbanding, behind the green 
reptiles and other bullshit, we have lives believe it or not, things to do, people to meet. 

Goodbye. 

- dragon 
- Komodo 

- ryan 

- sd3c 



- L name icon 
- Vaginccr 
-Gecko 

PS: chF was never apart of LizardSquad, just a friend. 



Pic.l - The key members of Lizard Squad. This list will change later, as some members will 
leave the group, and new Hacktivists join the group 



Using operatives and networked resources, discovery revealed that the domain name 
"lizardsquad.ru" was registered on the following e-mail - surivaton@gmail.com . 

Later, "Abdilo" explains, that he was the owner of this domain name, but after some time, left 
the group. 

/ joined back in august, messed around and I hosted lizardsquad.ru and lizardsquad.com. I never 
had control of the ddos botnet. Left lizardsquad back in October but still talk with the members. 
One of lizardsquad 1 s members used one of my domain accounts to register lizardpatrol.com(thus 
linking one of my old emails with lizardpatrol).(December 31 st , "Abdilo") 3 



3 http://pastebin.com/DvSf6dAK 
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LizardSquad 

@UZARDSQ 



Tweets Tweets & replies Photos & videos 



WE ARE LIZARD SQUAD WE ON YA 
MOTHERFUCKIN FOREHEAD darkode 
ire offline at the moment sorry for the 
inconvenience WE ARE BACK 



G3 LizardSquad retweeted 
MiSt@Mlstzy Nov 19 

FaZe Rain Setting Up FaZeRainExposed ( 
youtu.be/2Y0CsjBkBq4 via q YouTube 



FaZe_Rain: 



1 4 Photos and videos 




J2 LizardSquad retweeted 
p Mist @Mlstzy Nov 19 

I liked a a YouTube video from @imky1e youtu.be/2Y0CsjBkBq47a FaZe 
Rain Setting Up "FaZeRainExposed a FaZe_Rain 



Q LizardSquad retweeted 
U Mist @Mlstzy Nov 18 

They just made red to kick people nicely 



Pic.2 - One of the official domain names of Lizard Squad 



"abdilo " 


Lastname 


Crees 


Firstname 


David 


E-Mail 


surivaton @ gmail.com 


Accounts 


Facebook https://www.facebook.com/ ARMHF?fref=ts ("Root Toor"); 
GitHub https://github.com/surivaton ("David Crees" ); 
YouTube https://www.youtube.com/watch?v=M7TnYo7pnkA ; 
Google Plus https://plus.google.com/116092303179922520941/posts ; 
Reddit https://www.reddit.com/user/surivaton 


Location 


Gladstone, Queensland, Australia 
Calliope, Australia 


Skype 


Skype: "facebook: surivaton" 


Jabber 


abdilo @ exploit.im 
abdilo @ darkcode.com 


Nicknames 


Abdilo, Notavirus, Surivaton, Grey Hat Mafias Bitch 


Profiles 


Hackforums: 

http://webcache.googleusercontent.com/search?q=cache:BYOA0DBtiPAJ:www.h 


ackforums.net/showthread.php%3Ftid%3D4331 159%26page%3D15+&cd=18&hl 


=en&ct=clnk&gl=ru 
POwersurge.com: 

https://www.p0wersurge.com/forums/introductions/12879-hi/ 
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Exploit.in: 

https://exploit.in/forum/index.php?showuser=55603 


Comments 


Had agoraphobia during childhood 

WEB -applications hacking, Botnets Hacking 

AUtism is mentioned on one of his profiles 



Table 1 - "Abdilo" Profile 



Besides the identified Lizard Squad's domain name, there were other identified domain names 
registered by this bad actor in the past, using the same e-mail and details: 



FuckAnstralia.Ru FuckAustralia.Ru 

Auditing all of Australia's Government Websites and School Systems. Auditing all of Australia's Government Websites and School Systems. 

GOV.AU SITES VULN TO HEARTBLEED: GOV.AU SITES VULN TO HEARTBLEED: 




Abdilo.ru Fuckaustralia.ru 



Pic.3 - Domain names, owned by "Abdilo", had Jabber contact: fuckaustralia@exploit.im and 
information about vulnerabilities on Australian government WEB -resources 



In March 2014, the identified bad actor published information about SSL vulnerabilities 4 in 
Juniper devices, exposing vulnerable network resources: 



extranet.uphs.upenn.edu; 

vpn.stloiscountymn.gov; 

vpnl .broadcastaustralia.com.au; 

remote . compumenn . com. au ; 

rna.n.nsa.nexus.telstra.com.au. 



The same resources, which include "stolen lists from @playstation. sony.com", were traded on 
the black market by a bad actor, having the nickname "FAKBEN" 5 . 



4 http://www.div-13.com/view/7c5afed3 

5 http://i25c62nvu4cgeqyz.onion/profile.php?id=949Q 
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Index » Other Vendors - Heartbleed dump of telstra.com(Blg Australian ISP) 



logins, information, private details, cookies, ssl/vpn, $1200, ($1200 becai 
world has *v«r broken into Telstrt.com) 




http://kSzq47j6wd3wdv)q.onion/listjng/311S3 



Index - Other Vendors - New SSLVPN 15.5MB HEARTBLEED DUMP FOR EXTRANET.UPHS.UPENN.EDU 

Pag** 1 Po« reply 

FAKBEN 2014-0810 17 38 26 (1 



i passwords ema*s 



Index ■> Other Vendors - Heartbleed dump of tetstra.com(Blo Australian ISP) 




http://kS*a47j6«d3wilvN.onion/ In ting/31686 



lex - Other Vendors - New SbLVHN n.bMB HbAKIBLbbU HUMP KJK bx I KANb I.UfHS.UfbNN.blXJ 



Index - Other Vendors ■ Private list stolen wplaystation.sony.com 
FAKBEN 



MMMM 

A 



Registered 2014-07-23 
Posts 104 



2014-O9-11 21 01 09 

Description 

PUB_REL_ID, 

FIRST_MAME, 

LAST_NAME, 

EMAIL ADORESS, 

DEPARTMEriT_GROUP, 

GROUP_HEAD from Optaystahon.sony.com. 



Perfect for social engineering and ip grabbing Pnvate kst stolen and all are vakd 



.http://kSzq47j6wd3wdv)q.onion/ksting/364S6 

UStCdMd by FAKBEN (2014-09-11 21:01:46) 



FW8.RB._ID F1RST_NAME. LAST_f4AME. EMM._ADORESS DEPARTWHT.OROUP OROUPHEAD tro 



2014-09-16 15 19 09 



it you PM but you didn t reply rr 



r. ,v„- » I ,n t.'fl 



Pic.4 - Identified bad actor "FAKBEN", trading the same information 
as former Lizard Squad member "Abdilo" in the underground 



The structure of the data has "DEPARTMENTGROUP" and "GROUPHEAD", which might 
be related to internal corporate information from Sony network or one of their compromised 
applications, which may have housed employee data. 



Index » Other Vendors » 680 k email + pass stolen 

Pages 1 



FAKBEN 


2014-09-15 07:39:17 


Vendor 

A 

From: Honolulu 
Registered: 2014-07-23 
Posts: 104 
S PM 


hotmail.com 

verizon.net 

yahoo.com 

gmail.com 

msn.com 

aol.com 

etc.. etc.. 

680.000 email + pass 

http://i-imgur.com/ AIgPa6h.jpg 
http://k5zq47j6wd3wdvjq.onion/listing/39195 


Offline 







Pic.5 - The bad actor proposed lists with leaked employees data 
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In one of the articles related to the first DDoS attacks on big e-gaming services, there was a 
mention of the bad actor "GOPGangster" 6 , who released some details about the incident. Lizard 
Squad member "Abdilo", commented on the article using one of his old nicknames. 

"Hundreds of people started to post about compromised accounts. One thread, from a user 
named GOPGangster, detailed how it happened. On Aug. 20, Jason contacted him and 
threatened to take over his account. "I didn't believe him until my account was taken, " 
GOPGangster wrote. He knew he "was screwed, " he said, when his friend asked him why he left 
his ranked team. His account then wrote "I am God, Jason, " and transferred to Riot's Oceania 
server. The password to the account was long and included "lots of random things that would be 
very difficult to grab, " GOP Gangster recalled. "Worst of all my account had my credit card 
info saved. " 



"lolaristocrat" 



"Lolaristocrat" has referenced DPR (North Korea) in his Twitter account, clearly written in 
English. According to analysts, this bad actor created several Twitter accounts, some time ago. 




https://twitter.com/lolaristocrat (Twitter) http://lolaristocrat.com/ (WEB-site) 



Pic.6 - Twitter and personal WEB-site of "lolaristocrat" 

Three Twitter accounts have been identified with hashtag "#KimJongSec", followed by two 
Lizard Squad members - "Abdilo" and "algOd". 



http://www.daiivdot.com/esports/jason-shane-duffy4eague-of4egends-hacks/ 



Century Plaza Towers, 2029 Century Park East, Suite 400, Los Angeles, P: (424) 202 3604, info@intelcrawler.com (PGP) 9 



IntelCrawler 




Pic.7 - Identified Twitter accounts with hashtag "KimJongSec" 
and link to Lizard Squad member "lolaristocrat" 



Previously, the "KimJongSec" account had the name "K.J.U 7 . INFERNO", publishing DDoS 
attacks against South Korean WEB -sites, including the official site of the President. 



Oaks***) ■ 

0 :«H "r *mM 



I E 



- \ . .'if RS GOO DAMN 



ft 
ft 

ft 



W ©KEEMSTARi @MntRat bggesl mneoal) sener in he mtld sM OFFLINE Thousands of aamersanyy 

MplcoWTw»7AbC 

•1*9 



#KLJ.l . INFERNO 

gbnaiikiebs §jsm how did you like your website being nulled 0 
4 hours a 20 



#KJ.U. INFERNO 
4 hours ago 



MSTARx South Korea Presidents Government website, #OFFLINE 



0KJ.U. INFERNO 

gKEEMSTARx http: t oo tTQK8tMdf4 IS NULLED. 
5 hours ago 



Pic.8 - Old Twitter account, maintained by user "labeiied" 



7 KJ.U - "KimJongUnSec 5 
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The initial account belonged to Twitter with the username "labeiied" , which appears to be an 
alias to an account of the Hacktivists using nickname "labelled" ("anon wjb", "iadykiller). 



/ only ever DDoS when i'm high. @KimJongSec 



anon wjb 




anon wjb 

@lady killer 

locals most notorious | back up: 



9 Expect Us 

$ gamebattlescreditgenerator.com 



TWEETS 

151 



FOLLOWING 

50 



FOLLOWERS 

9,608 



FAVORITES 

700 



Tweets Tweets & replies Photos & videos 



Q3 anon wjb retweeted 
|H Anonymous @AnonPress 15m 

Yeh but at this point in time a Iadykiller it's more a message to you than to 
them. We're not going to go white knight Sony/Microsoft 

4% 1T1 39 *Ar 73 ••• View conversation 



0 anon wjb followed #4DaKidz. Jamie . Coding and 37 others 

Pic.9 - The identified account of "labelled" also contained posts about Sony 



http://webcache.googleusercontentxom/search?q=cache:CuzuGryNM- 



0J:https://www.toptweet.org/user/labeiied+&cd=6&hl=en&ct=clnk&gl=uk 
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Chronological Analysis 



August 24 th 2014 

Lizard Squad published the message, directly addressed to Sony 9 (11:03 AM): 



Lizard Squad 

i&LizardSquad 



O + ± Follow 



Today we planted the ISIS flag on - Sony's 
servers #ISIS #iihad 



* Favorite Pocket ••• More 




RETWEETS FAVORITES 

523 197 



11:03 AM - 24 Aug 2014 



Lizard Squad 



O + ± Follow 



. AmericanAir We have been receiving 
reports that j_smedley's plane #362 from 
DFW to SAN has explosives on-board, 
please look into this. 



Reply 1> Retweet * Favorite ••• More 
1:29 PM - 24 Aug 2014 



RETWEETS FAVORITES 

84 49 



Pic.10 - Lizard Squad has threatened a Sony executive with a fake post 
about explosives in the plane 



The same day, 1:29 PM, Lizard Squad tweeted at American Airlines saying that a flight carrying 
John Smedley, president of Sony Online Entertainment had "explosives on-board". 



August 26™ 2014 

Lizard Squad performed DDoS against Sony PSN and published several messages addressed to 
Sony. As a defense, one of the posts contained references to monetary gain. This post 
demonstrates concern regarding Sony's costs for defense: 

"Sony, yet another large company, but they aren't spending the waves of cash they obtain on 
their customers 1 PSN service. End the greed. " — Lizard Squad (@LizardSquad) August 24, 
2014 

HEY ®Sony PICK UP THE PHONE 

— Lizard Squad ( @LizardSquad) August 26, 2014 



http://abcnews.goxom/Technoto 
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YO @Sony cmi we get estimates on how many S you paid for @prolexic? 
— Lizard Squad (@LizardSquad) August 26 ? 2014 

Pic.ll - The majority of Lizard Squad posts are directly addressed to Sony 



November 21 th 2014 

During the initial stage, GOP sent a letter to Sony, asking for monetary compensation to prevent 
the leak: 



Notice to Sony Pictures Entertainment Inc. - Inbox. mbox 

^ \ 1 Notice to Sony Pictures Ente... * 



g-Write _| Chat J_ Address Book ^Tag - Q Search... <J§K> 



Frank David <rifrank1973 david@gmail.com>ft 4% Reply 4^ Reply S FbHowup " Forward ^ Junk 0 Delete 

Subject Notice to Sony Pictures Entertainment Inc. 11/21/14, 12:44 PM 

To michael_lynton@spe.sony.com ft, amy_pascal@spe sony.com ft, doug_bekjrad@spe.sony.com ft. steven_bersch@spe.sony.com ft, michael_deluca@spe sony.com ft Other Actions 

We've got great damage by Sony Pictures. 

The compensation for it, monetary compensation we want. 

Pay the damage, or Sony Pictures will be bombarded as a whole. 

You know us very well. We never wait long. 

You'd better behave wisely. 

From Cod'sApstls 



Pic.12 - Anonymous hackers from GOP asked for monetary compensation from Sony 



November 24 th 2014 



GOP provided Sony with a deadline, November 24 



th. 
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Pic.13 - GOP announced a deadline for Sony 



These posts did not contain any information about the film "The Interview". 

Previously, the attackers posted to at least three Twitter feeds, leaving the same message: "You, 
the criminals including [Sony Pictures CEO] Michael Lynton will surely go to hell. Nobody can 
help you." The image posted with the message shows a digitally edited image of Lynton' s head 
in a dark, hellish landscape. 



Pic.14 - GOP published a negative post in hacked Twitter accounts about a Sony executive 
The links on the leaked files were published in social networks and uploaded on Torrents. 
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November 26 th 2014 

The GOP leader published the following message: 

posted *D5* 10:23 PM Wednesday, November 26, 2914 Greenwich Mean Time (GMT) 
cut/ paste ****************************************************************** 



godsapstls . bos54^Sunseen . is 



RE: To The Guardians Of Peace 
From: 

Date: 2014-11-26 17:11 
I am the head of GOP. 



I appreciate you for calling us. 

The data will soon get there. 

You can find what we do on the following link. 

http s : / / www . fa ceboo k . com/ page s/The-Gua rdians-Of -Peace/ 6942452 39 6 97 994 
God bless us. 
God 1 s Apcs-les 



^^^^r^tc^^^^^c^:^^^ «c^:^4c^ tc^^4c^ «c^:s«^^ «c^«c^:^ «c^^4c^ «c^«c4c^ *c^=4c^44:^^^^4c^^^^^M=«£^^^^4c^^^ 



Pic.15 - Anonymous hackers sent an e-mail to Sony 



December 1 sl 2014 - "I am the boss of G.O.P." 

GOP published a message about stolen data: 

/ am the boss of G.O.P. A few days ago, we told you the fact that we had released some of Sony 
Pictures Bilms including Annie, Fury and Still Alice to the web. Those can be easily obtained 
through internet search. For this time, we are about to release Sony Pictures data to the web. 
The volume of the data is under 100 Terabytes. You can get some of the data at [Links Redacted] 
We will release all of the data at [XXX and [XXX] in a short time(the minimal time needed for 
handling tens ofTBs of data). The password of the document is "diespel23". Besides, we have 
much more interesting data than you know. If you Bind special interest, send an email in a 
method we have explained before. Thanks 
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December 3 2014 - "We have released the data of Sony 
Pictures here" 

GOP published the following message: 

Hi, We have released the data of Sony Pictures here http://pastebin.com/zUyAOEiX And you can 
Bind data as it adds in PASTEBIN using tags of GOP, SONY, SPE and etc. Today more 
interesting data will be presented for you. Thanks 

December 5 st 2014 - "I am the head of GOP" 

Two days later, another message from the GOP: 

/ am the head of GOP who made you worry. Removing Sony Pictures on earth is a very tiny work 
for our group which is a worldwide organization. And what we have done so far is only a small 
part of our further plan.It's your false if you if you think this crisis will be over after some time. 
All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony 
Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictues clings to what is 
good to nobody from the beginning. It's silly to expect in Sony Pictures to take off us. Sony 
Pictures makes only useless efforts. One beside you can be our member. Many things beyond 
imagination will happen at many places of the world. Our agents find themselves act in 
necessary places. Please sign your name to object the false of the company at the email address 
below if you don 't want to suffer damage. If you don 't, not only you but your family will be in 
danger. Nobody can prevent us, but the only way is to follow our demand. If you want to prevent 
us, make your company behave wisely. 



December 6™ 2014 - "Gift of GOP for 2nd day" 

GOP publish the following message: 

You can download a part of Sony Pictures internal data the volume of which is tens of Terabytes 
on the following addresses. These are all confidential and include data related to sales plan of 
SPE. http://torrentproject.se/c8f4990114c6dc96afl8f68f0c670a6e 
magnet: ?xt=um:btih:c8f4990114c6dc96afl8f58f0c670a6e 

cker.perm.ertelecom.ru/announce&tr-udp://open.demonii.com:1337/announce&tr-udp:/ 
r. copper surf er.tk:6969/announce Password: diespel23 
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December 7 tn 2014 - "Gift of GOP for 3rd day Financial data of 
Sony Pictures" 

GOP publishes the following message: 

Anyone who loves peace can be our member. Please tell your mind at the email address below if 
you share our intention. Peace comes when you and I share one intention! 13 jack.nelson- 
63vrbul@yopmail.com You can download a part of Sony Pictures internal data the volume of 
which is tens of Terabytes on the following addresses. These include many pieces of confidential 
data. The data to be released next week will excite you more. Password: diespel23 

December 8 th 2014 - "Gift of GOP for 4th day" 

GOP publishes a message targeting Sony executives: 



Gift of GOP for 4th day: Their Privacy 

__ Their Privacy 
By GO? 



<> Code 

o- Revisions 



We are the GOP working all over the world. 

We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself wh» 



• -https:/, g. 



» to SONY 

We have already given our clear demand to the management team of SONY, however, they have refused to accef 
It seems that you think everything will be well, if you find out the attacker, while no reacting to our d( 
We are sending you our warning again. 
Do carry out our demand if you want to escape us. 

And, Stop immediately showing the movie of terrorism which can break the regional peace and cause the War 
You, SONY & FBI, cannot find us. 
We are perfect as »uch. 

The destiny of SONY is totally up to the wise reaction & measure of SONY. 



HTTPS 

https://gist.github.i 



<£> Download Gist 



Their Privacy 

Any Pascal(Co-Chairman SPE & Chairman MPG), Stephen Kosko( President, SPT) 



24 Password: diespel23 

25 

1. Torrent 
27 http://rghost.net/59l88959 
?h http://filesflash.com/x8wxmrfc 
29 http : //turbobit . net/2i3ztqlayy9d . html 

http : //f ilenuke . co«/f /08dEyL0 

http://www.uploadable.ch/file/nbPvVgsHGgyG/spe_e4.zip 
http : //188upload . com/ j So jmcbf 16sk 

33 

'■• 2. Turtobit 

35 http : //turbobit . net/up88r jsgg2u7 . html 

36 http : //turbobit . net/cnl9f c j z8dyr . html 

37 http : //turbobit . net/ jc5roomogic8u . html 

38 http : //turbobit . net/561ibe jnjd68 . html 

39 

3. Filenuke 

41 http://filenuke.co»/f/6xYZ3a8 

42 http ://f ilenuke. cc*/f/0nRnK10 
http://f ilenuke. coa/f /8qgmy53 

44 http://filenuke.co»/f/3kGPgy3 
4S 

4. Previous data 

http : //turbobit ■ net/9n3rvsuik7 38 . html 



Pic.16 - GOP announced that Sony refused to accept their "rules of the game" 
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December 10 th 2014 - "Gift of Sony for 5th day: My Life At The 
Company-Part 1" 

GOP publishes the following message: 

To SPE employees. SPE employees! Don 't believe what the executives of SPE says. They say as 
if the FBI could resolve everything. But the FBI cannot find us because we know everything 
about what's going on inside the FBI. We still have huge amount of sensitive information to be 
released including your personal details and mailboxes. If continued wrongdoings of the 
executives of SPE drive us to make an unwanted decision, only SPE should be blamed. Now is 
the time for you to choose what to do. We have already given much time for you. 

December 1 1 th 2014 - "Gift of Sony for 5th day: My Life At The 
Company-Part 2" 

GOP publishes the following message: 
by GOP 

Important Message to SPE executives 
I've sent you a message. Confirm your mailboxes. 

The message is addressed from one person ("I've sent you"). After some time, another message 
was published: 

We are preparing for you a Christmas gift. The gift will be larger quantities of data. And it will 
be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into 
the worst state. Please send an email titled by "Merry Christmas " at the addresses below to tell 
us what you want in our Christmas gift. 

December 14 th 2014 - "The sooner SPE accept our demands, the 
better" 

GOP released a new message to Sony, promising to bankrupt the company: 

The sooner SPE accept our demands, the better, of course. The farther time goes by, the worse 
state SPE will be put into and we will have Sony go bankrupt in the end. Message to SPE 
Staffers. We have a plan to release emails and privacy of the Sony Pictures employees. If you 
don't want your privacy to be released [sic], tell us your name and business title to take off your 
data. 
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After the new leaked files were uploaded, former Lizard Squad member "Abdilo" posted: 



"Sony could of avoided this if they would pay up the the extortion 
letter. Take this as a lesson companies, be prepared to loose everything. " 10 

(December 17 th , "Abdilo") 



December 18 th 2014 ■ "Dear Sony from GOP" 



On December 18 th , a published post on Pastebin from GOP 11 , mentioning, "September 11 may 
happen again if you don 't comply with the rules". The previous day, a Lizard Squad member 
actively discussed the 9/11 tragic incident in a satirical manner: 




Dear Sony from GOP 

BV: A GUEST ON DEC 3)H | SYNTAX; NONE SIZE 0.38KB | VIEWS: 9.5« EWES NEVEfl 
OOWNlOAO i *AW EV8EO 9IKJST A8JSI PftlNT 



This fa 



MANDRILL. TRUSTED FOR EMAIL 
INFRASTRUCTURE BY MORE THAN iOO.000 
CUSTOMERS 



Vou have iuHtrea throuf trough threats. 

Mr lift the ban. 

The Interview nay release now. 

tut be earful. 

ieptewer 11 «a> napoen again i* you don't cewply Kith the rules. 



|H *| | Teridax *| | @AlphaQuintesson Dec 17 

so they're not releasing the interview at all? great 



|H *| | Teridax *|| @AlphaQuintesson Dec 17 

take it off baby bend over let me see it 




This is Ouaroians C* Peate. 



View more photos and videos 



Pic.17 - Lizard Squad member and GOP mentioned the 9/1 1 incident in their postings 



10 https://twitter.com/abdilo /status/545456086895960065 

11 http://pastebin.com/iri4YB2TJd 
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December 19™ 2014 - "Message to CEO of Sony - Michael Lynton" 

On December 19 th there was a published post on Pastebin - http://pastebin.com/xEmKN3ui . The 
bad actors signed the message as "Anonymous" mentioning, "We all know the hacks didn 't come 
from North Korea"'. 



http pastebin.com ■.EmkNBui 



P - C ,•; MESSAGE TO CEO OF SON... 



MESSAGE TO CEO OF SONY - MICHAEL LYNTON 

BY: A GUEST ON DEC 19TH, 2014 | SYNTAX: NONE | SIZE: 140 KB | VIEWS: 3,246 | EXPIRES: IN 28 DAYS 
DOWNLOAD | RAW | EMBED | REPORT ABUSE | PRINT 



WAPT: How your website performs 
under various load conditions 

Load, Stress and Performance Testing for Web Sites, Applications and Servers 



m 11 

I Dear Mr. Michael Lynton (CEO of Sony Entertainment), 



We shall first-off begin this message with an expression of sympathy as you have failed to release "The Interview" as you believe that hackers 
shall carry out a new operation to cause malicious damage within your organisation. 



BW fwe think everybody knows about this already) . 



What we would like to say is that by not releasing "The Interview", you are denying us the privilege of the Freedom Of Information Act (1966). 



Unfortunately, due to your organisation panicking at first sight of trouble, we find this very cowardly of both yourself and your organisation 
(Sony Entertainment). 

10.1 

We know that Mr. Paulo Coelho has offered Sony Entertainment a sum of $100,000 for the rights of the movie; where he shall then be able to 
upload the movie onto BitTorrent. 

Obviously, you shall not be responding to his generous offer - so please respond to ours with a public conference, we wish to offer you a 
deal. . . 

14.1 

Release "The Interview" as planned, or we shall carry out as many hacks as we are capable of to both Sony Entertainment, and yourself. 

16.1 

Obviously, this document was only created by a group of 25 - 30 Anons, but there are more of us on the internet than you can possibly imagine. 

18.1 
19.1 

We are Anonymous, 
We are Legion, 
22. We do not forgive, 
We do not forget, 
Expect us. 



Pic.18 - One of the first messages to Sony from hackers with Anonymous signature 



After this post, new independent Hacktivists appeared, with some participating and promoting 
"Anonymous" and starting #OpSony campaign. 
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Q CWN follows 

Anon Pyro AnonPyrO Dec 27 

Many thanks to @AnonSecurity_ and @Global_hackers for working on 
^OpSony with me 



Q YouTube 



ANONYMOUS #OpSony LAUNCH VIDEO 



11 



9 



Q Charles Ibrahim and 6 others follow 
#GHC_sec Global_hackers Dec 27 
Open fire: 

Sony pictures need to be downed 
IP: 72.52.12.83 (apache server) 
Port(s): 80 / 443 open 

#ANON FAMILY: fire your lazers for =OpSony 



CWN Cyber_War_News Dec 27 

uh oh cwn. link/1 vBalje is being hit again via =opsony .. amazingly not one bit of 
lag. 



#OpSony 



Q Favourited 32 times 

An on Sec @AnonSecurity_ Dec 27 
' I For the final time I will say it again. We are NOT firing at PSN. We are firing at 
IB Sony Pictures. Op Sony 



#OpSony | 



30 



32 



Anon Sec g)AnonSecurity_ Dec 2 
FIRE 

TARGET: sonypictures.com 
IP: 72.52.12.83 (apache server) 
Port(s): 80 / 443 open 
#Anonymous -OpSony 



O & vol tLTD 



ANONYMOUS #OpSony 

WE ARE ANONYMOUS. WE DON'T FORGIVE. WE DON'T FORGET. SONY. 
EXPECT US. Reason for attacks: Sony Pictures lied to the public about being 
'hacked' by North Kore... 



Pic.19 - #OpSony will be targeted on DDoS against Sony Pictures 



On the same day, former member of "Lizard Squad" mentions "GOP" and current investigation 
in satirical form: 




abdilo O + i Follow 

@abdilo_ 

Ok so apparently the fbi considers doxing 
and d dosing worse then murder, espionage, 
BS15 . fraud, assault... oh wait 

FAVOURITES p 

2 feltfEf" 

12:19 ant - 19 Dec 2014 

Pic.20 - Former Lizard Squad member "Abdilo" mentioned GOP 
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December 20 tn 2014 - "Christmas gift to FBI" 

After the new FBI update on the Sony hack 12 , two published posts by GOP denied any link with 
North Korea: 





Pic.21 - GOP will deny the link with North Korea in "Christmas gift" post 



December 22 tn 2014 ■ "Working together with GOP on a 
Christmas project" 

Lizard Squad published a post that they work with GOP 13 on a Christmas project: 



12 http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation 

13 https://twitter.com/LizardUnit/status/546752455661584385 
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v 



TWEETS FOLLOWING FOLLOWERS FAVOURITES 

19 9 9,686 12 



Lizard Squad 

@LizardUnit 

Next generation Grinch Cyber terrorists 
labelled as a matter of national security 
Once upon a time 5) Lizard Patrol and 
@LizardSquad. 

9 XMPP/Email: lizards@riseup.net 
$ chat.lizardpatrol.com 



^ Tweet to Lizard Squad 



Tweets Tweets & replies 

J Lizard Squad @LizardUnit 2 hrs 

Jabber/Email: lizards@riseup.net 



I Lizard Squad iLizardUnit 3 hrs 



orkinq toqether with #GoP on a Christmas protect 



| Lizard Squad ■ LizardUnit Dec 19 



Pic.22 - Lizard Squad announced work with GOP 

An interesting fact is that the avatar of Lizard Squad is used by other hacking groups and their 
leaders, such as "JoshTheGod". This bad actor named himself as "Leader of UGNazi & 
LulzSec", groups that compromised Sony in 2011. 



g Twit ter, Inc. [US] | https://twitter.com/JoshTheGod 



^ Home 4t Notifications ^1 Messages ^£ Discover 




Josh 

©JoshTheGod 



Mother@gmail.com 
O UGNazi 

£ http //UGNazi.com 
0 Joined December 201 1 



9^ Tweet to Josh 



^ 8 Followers you know 



TWEETS FOLLOWING FOLLOWERS FAVOURITES 

1.340 53 30. 1K 83 



Tweets Tweets & replies Photos & videos 



I Josh @JoshTheGod 1 hr 
HAPPY NEW YEAR FUCKTHEJEWS 



| Josh ©JoshTheGod Dec 28 

im god 



g Josh ©JoshTheGod Dec 26 

We are all lizards VariousLuIz 



Pic.23 - Leader of UGNazi & LulzSec with the same avatar as Lizard Squad 

Later, the Lizard Squad member, "Abdilo" explained that he left the group in October 2014, but 
retained relations with team members. Lizard Squad mentions GOP in some of their posts: 



https://twitter.com/LizardMafia/status/547570060160954369 
"greets from DPRK ;)= = = " 
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https://twitter.com/LizardMafia/status/547579229 1 56954 1 1 2 
"We should do it too every channel. Greets to GoP & DPRK" 




Lizard Squad | it Like P age 

24 December2014 at 06:27 - « 

We should do it too every channel. Greets to GoP & DPRK 
Like - Comment - Share 

Pic.24 - Lizard Squad will greet GOP and DPRK (North Korea) 

During active discussions of a possible film leak "The Interview", The Pirate Bay was defaced 
with picture of North Korea leader. "Abdilo" mentioned this incident with an ambiguous phrase: 
"GOP you trolls". 



THN 



The Hacker News @TheHack ere News 3h 

The Pirate Bay' HACKED? N.Korea 1 Kim Jong Un Cartoon Appears on 
Homepage. thn.li/7ky5 | #thepiratebay pic.twitter.com/Fsc28FKohHB 

CI 70 17 



abdilo 

©abdilo 



+± Follow 



>TheHackersNews @hue 
AHHAHAHAHAHAHHAAHAHHA GOP you 
trolls 



FAVOURITE 

1 



6:38 am -27 Dec 2014 



Pic.25 - "GOP you trolls" comment by Abdilo 
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December 29 2014 - "Well, we do know some people from the 
GOP" 

In an interview with the Washington Post 14 , Lizard Squad explained, that they have links with 
"GOP" and provided the group with credentials for Sony hack: 

Q: Some reports suggest you've got links to Guardians of Peace, and possibly to the Islamic 
State. Can you talk about that for a minute? 

[Another long pause, about five minutes.] 

A: Well, we do know some people from the GOP. We do not have any links to the IS. 

Q: But you didn't work with Guardians of Peace to breach Sony's network and gain access 
to the e-mails, etc.? In other words, you know some people but weren't involved in the Sony 
hack surrounding 'The Interview'? 

[A seven-minute pause.] 

A: Well, we didn't play a large part in that. 

Q: What part did you play? 

A: We handed over some Sony employee logins to them. For the initial hack. 



December 30 2014 - "Looking at this south korean powerplant" 

"Abdilo" has mentioned South Korean nuclear energy company KHNP, which was referenced in 
a Reuters article about a hacking attempt and leak of documents. 

Computer systems at South Korea 's nuclear plant operator have been hacked, the company said 
on Monday, sharply raising concerns about safeguards around nuclear facilities in a country 
that remains technically at war with North Korea (Reuters, December 22 nd 2014) 



http://www.washingtonpostxom/blo^ 
break-in-to-sonys-network/ 
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| abdilo ©abdilo Dec 31 
So Argentina gives me access to their airforce and south korea lets me kill 
all of their citizens ... thanks asp 



| abdilo ©abdilo Dec 30 
cms.khnp.co.kr/readme.html :| 



| abdilo ©abdilo Dec 30 



/NAS_Vol/www/khnp/wp-content/themes 

/khnp/index.php 

roflmao 



| abdilo ©abdilo Dec 30 
and they have wordpress.. 



| abdilo ©abdilo Dec 30 
Looking at this south korean powerplant that was rekt... dear god the jsp 



Pic.26 - Former Lizard Squad member "Abdilo" and vulnerabilities in KHNP 




abdilo 

abdilo 



O + i Follow 



Nuclear systems are fun to mess with, what 
happens when i turn the fans off 



FAVOURITE 

1 Jt 

3:00 am - 5 Dec 2014 



Pic.27 - The bad actor started his harmful activities in early December 



December 31 2014 - "Suicide Hacking in Australia" 

The bad actor "Abdilo" published a very specific post on Pastebin about his past cyber attacks 
(URL: http://pastebin.com/DvSf6dAK) . 

He enumerated some of his hacked targets in the past, and explained that he left Lizard Squad in 
October, but retained relations with its members. 

Now I am going to attack south korea... one uni now has no records, no mssql db, none of its 
asp/aspx and all external hdds have been formatted. (31 st December 2014, "Abdilo") 

Century Plaza Towers, 2029 Century Park East, Suite 400, Los Angeles, P: (424) 202 3604, info@intelcrawler.com (PGP) 26 



IntelCrawler™ 



pastebin.com/DvSf6dAK 




t to check their scada system) 



iupui.edu(meh) 
cwru.edu(meh) 
umbc.edu (meh) 

ansto.gov.au(They fixed their sqli but might k 
acma.gov. au(Cyber safety my ass) 
police. vie. gov. au(Shoutout to Thomas) 
aiatsis.gov.au(No idea why) 
apse. gov. au(meh I was bored) 

liquor. reports. rgl.wa.gov.au (Not very responsible of you LOL) 
vjentworth.nsw.gov.au (I have had you sqlied for 4 years...) 
psr.gov.au(Heartbleed and its december... tisk tisk tisk) 
fsu.edu (LOL U DUMB AS FUCK) 

suncorp.com.au(You were WAY to easy to get into, you might want to reset all of your user's passwords though) 
princeston.edu(LOL easy) 



I am not going to list the .mil sites, mainly because I am still stealing all of their shit... dumping for 4 months now and yet they don't fix 
it <3. 

I cannot remember the majority of edu/gov i have sqlied, i didnt keep a good enough record and one of my hdds is now... melted and destoryed. 



J lizardsquad.ru and lizardsque 



Left lizardsquad back in October but still talk with the members. 



178. Lizardstresser.su was created by another lizardsquad member via nic.ru. 



Pic.28 - Published list of hacked government resources by "Abdilo" 



In October 2014, "Abdilo" started advertising his own services in the underground, related to the 
selling of vulnerabilities on government WEB -sites and private exploits. 



Exploit.IN Forum OopMa noMCKa > IIohck 



My rwriK! is abdilo, 

I'm a seller of gov/edu sqlis and private oddys(ll'Bodrd) 
Add me on )al)tx-i if you imhhI .my help (Wvotlnq/rooUnq, or 
Jabber: (Alternative Jabber: 



Coo6meHnfi: 
PerwcrpauMa 



OrnpafMieHo: 23.11.2014, 13:50 

A bunch of gov sqlis and gov.uk sqlis. 
Insurance companies. 

Prices are very negotiable. 

(2 in stock)Insurance companies: S1000 each (Perfect for spammers) 
(2 in stock)Nuclear Research: S500 each 
(29 in stock)Gov sqlis: S100 each 
(1 in stock)Airports: S500 each 
(1 in stock)Airliners: S1000 each 

OopyM: r/locTvnbil - FTP, shell'bi, pyrbi, sql-ini, SR... • flpocMOTp coo6meHk 



Pic.29 - "Abdilo" began advertising his own hacking services of .gov/.edu 

resources in the underground 
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pastebi n.com/DvSf6dAK 



abdilo 



DrnpaaneHo: 26.10.2014, 09:57 



M«r« »r« so** of the Sites i MSSed wit": 

cdc.govlUnat Hind of db do you oven use? still novo * sqli in your Out cannot figure it out) 
lonfbe«cn.gov(I HAS INFOVWTI0N ABOUT COSMO MIN6 A FED... lOOOl Just fucking kit* ya) 
ny.gov (Shout out to teridax shaae mere was no proof of 9/11 attacks XD) 
HetroState.eoud broke into you .-a.se i like 22 juiap street, thanks for the 22k «in$) 

liv.»c.uk(Top school lay ass) 

itanford.edu (sow guy found a sgli in you then i found a better one... fuck you) 
nervard.edu(Nes * challenge but they are OuatO 

ncsu.edutthanks for the «k solis digitalgenster.coia loved it LOU 

eri:one.eOu(I solitd you * tiiees »Mle obnoxious called you up on the phone to troll you and 1 
duaplnf your database 4 tines then asking for booty plx else ue release it) 



Virginia. gov(hi Ryan f) 
louisiarjj.»ov<vou nave xp_< 

catholic. edu.au<«uck Catho] 



goods nepnerd . edu . au (M 



Mhrt I has all ur records) 

are all christian schools vuln to 



stpaulbe.se. edu. au< I have nothing funny % 

st josephsbrackenridge . qld .edu . au ( Seriously anc 

uky.edu(you are yuky) 



6a MT 

■ 

rpynria : no/ibsoB-aTenb 

- i- 22 
Per«CTpauwn: 31.05.2014 
rionbBDBaTevib MS: 55 603 



Gov sites(sluQ each): 

virginia.gov 
louisiana.gov 

Edu sites(S50 each): 

gatech.edu 

uky.edu 

vmi.edu 

miami.edu 

(topyr-i: ITlQCTynbil - FTP, shell'bi, pyrbi, 



■ieai.eoud <aas ■ 



u fixed it don't 




Pic.30 - Published samples of compromised government resources 
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Besides government segment, he has also published for sale information about vulnerabilities in 
regard of leading insurance companies of Australia - SunCorp and GIO Insurance Australia. 

OTnpaB/ieHo: 17.11.2014, 11:26 

Selling sqli in gio.com.au 
Add on jabber for more info 

Company Info: 

GIO is an Australian home and motor insurance provider. The company, which is owned by the Suncorp Group, offers insurance products, such as car, home and contents, CTP, boat, caravan, travel, business, public liability and workers 
compensation and life, primarily in the state of New South Wales and the Australian Capital Territory. 

Jabber: abdilo@darkode.com 

OopyM: rflQCTvribil - FTP, shell'bi. pyTbi, sgl-ini, 511... • flpocHOTp coo6iueHns: *513439 • OTBetoB: 1 • ftpocMOTpoe: 76 



OrnpaB/ieHo: 17.11.2014, 11:22 

Selling sqli in suncorp.com.au 

Add on jabber for more info(price is negotiable) 

Company Info: 

Suncorp Group includes leading general insurance, banking, life insurance and superannuation brands in Australia and New Zealand. The Group has 15,000 employees and relationships with nine million customers. We are a Top 20 ASX-listed 
company with $96 billion in assets 



Jabber: abdilo@darkode.com 



According to gathered information, he has compromised more than 60 government and 
educational WEB -resources, the majority of which were published in his posts 15 . 

/ am not going to list the .mil sites, mainly because I am still stealing all of their shit... dumping 
for 4 months now and yet they don't fix it <3. 1 cannot remember the majority ofedu/gov i have 
sqlied, i didnt keep a good enough record and one of my hdds is now... melted and de story ed. 

(December 31th, "Abdilo") 



During long term monitoring of the Lizard Squad IRC channel, several messages were identified 
referencing the hacking of military and government resources. This verifies that the objects of 
interests of the bad actors are not limited to gaming services only. 




Pic.31 - Analyzed communications from Lizard Squad channel and 
compromised military WEB -resources 



http://pastebin.com/DvSf6dAK 
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In his Twitter account, he mentions, that his future hacking activities will be targeted on South 
Korea - https://twitter.com/abdilo /status/550466414897684483 



abdilo 



Follow 



Hmm, usa, aus, uk, arge ntina, iran, is rael, 
etc... now lets mess with f 



south korea 



11.26 PM-27 Dec 2014 



abdilo 

abdilo 



►1 Follow 



So all of 201 4 was dedicated to sqling 
usa/aus's gov/mil/nuclear/edu... 2015 will 
be dedicated to sqling all of south korea 



FAVORITES 

3 



5 39 PM-31 Dec 2014 



[RICH HOMIE] Elijah RHEIijah Dec 31 
j abdilo_ have a jabber or something lol 



Pic.32 - "Abdilo" will target his illegal activities against South Korea for reasons unknown 



Provided facts may point at specifics surrounding the personal motivation of "Abdilo" and 
undisclosed customers of his services, who could use the results of his work for harmful 
activities. 
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January 3 2015 - "GOP: Final message to Sony and world" 



There was published anonymous post with the same style of text, signed by "GOP" 16 . 



> GOP: Final message to Sony and world 

Btt A GUEST ON JAN 3RD, 2015 | SYNTAX; NONE | SIZE: 0.54 KB | VIEWS: 165 | EXPIRES: NEVER 
DOWNLOAD | RAW | EMBED | REPORT ABUSE | PRINT 

WE CONNECT DIGITAL INFLUENCERS AND 
QUALITY BRANDS THROUGH ONE. SINGLE. 
HIGH-IMPACT AD PER PAGE. 



* 0 



BBI 



1. As the release of The Interview has came already in some theaters... 
We will say we maybe not North Korea after all this. 

4. 

5. Maybe we are working Americans and maybe we are not, but it is not 100 percent that we are who you think we are, we have fooled you again. 

6. 

7. We said you can release The Interview and you have done so, you are and forever will be on our leash like our dog, Sony. 

8. 
9. 

ie. 

11. Goodbye and be earful for next threat. Steve Carell, you will make Pyongyang film, New Regency we have nothing against you but we will be 
watching. 

12. 
13. 

#50 3 



Pic.33 - One of the latest messages, signed by GOP, after Sony hack 
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Appendix A. - Lizard Squad / GOP Characteristics 



# 


Lizard Squad 


GOP 


1 


Lizard Squad has a leader, and group of 

1 1 1 L \_ 1 I'^l 1 V ' 1 111111 14 l/VULl tlllclVJVo . 


GOP has a leader, calling himself "boss" or 

"hpaH" caav(\ i n ati n o nthpr mpmbpr^ 

1 l^Clvl , villlClLlllcl WLllC-l lllC'lllL'C'l O . 


2 


Lizard Squad members are from the UK, 

Australia ^wpHpn ^nrl T-nnl^nH h^ivincr 

l\. LI o 11 til 1 d, w_J WV^U-V^ll ClllVJ. 1 J 1 1 1 Cl 1 1 LI . llClVlllci 

fluent English. 


GOP uses pretty good English in each of their 

mp^pi ctpq to Slnnv it Hnp^n't Vipivp anv mpotrppt 
iii^ooci^^o lu juii y , it vj-w^oii i ncivv^ ciiiy inv^wii^v^i 

translation and written in quite fluent form. 


3 


Lizard Squad member "Abdilo" has 
registered several domains in .RU, 

inrliiHin cr nffipial WF"l-£-<sitp of thp crrniin 

lllV^l LI V_l 1 1 1 £^ Ul 1 IV^lCll TV J—/ U k3lLV^ \J 1 LI 1^ c^l W LI L/ • 


GOP used .RU server, besides others, where 
they have uploaded leaked files. Potentially, 

thi<s <sPrvpr wa<s rnmrvrnmi<sPfl in thp r>a<st 

Llllo JVl VL1 W CIO L/L/111L/1 L/lllloV^VJ- 111 LllLv L/CloL. 




Lizard Squad member "Abdilo" left 

T \75\vc\ Sniiarl in Opfnhpr 9014 


GOP released information about Sony in late 
NTnvpmhpr 901 4 


4 


Lizard Squad has threatened the victims 
with "wonderful present to Christmas". 
They also announced "Working together 
with #GoP on a Christmas project". 


GOP has threatened Sony with "Christmas 
gift" too, which shows a correlation in timeline 
development and approach in dialogue with 
victims. 


5 


Lizard Squad member "Abdilo" has a 
GitHub account. 


GOP has published several messages in 
GitHub, containing specifics. 


6 


Lizard Squad messages directly 
addressed to Sony several times, 
mentioning some commercial topics: 

Sony, yet another large company, but 
they aren 't spending the waves of cash 
they obtain on their customers ' PSN 
server. End the greed. 

YO @Sony can we get estimates on how 

wiflviv js vnij Tin id fnr nrni pxir ? 


GOP messages addressed directly to Sony 
every time, including money compensation in 
order to prevent potential damage: 

\A/ \ )sj crnt crvo nt rl ntvi n cro hi 7 ^Vi vt i ) P i r* ti 1 v*o c 
Vr & Vt, gUL kZLII UUftlLlgts Uy OUily l LCiUT to. 

The compensation for it, monetary 
compensation we want. 


7 


December 17 th , Lizard Squad member 
"teridax" actively discussed 9/11 tragic 
incident in a satirical manner. 


December 18 th , GOP has published a post with 
phrase "September 11 may happen again if you 
don 't comply with the rules". 


8 


Lizard Squad has words about North 


GOP has mentioned the North Korean 
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Korea at the end of their official song: 
"North Korea... is the best Korea" 11 


President in several of their posts. 

"No death scene of Kim Jong Un being too 
happy". 


9 


Sony was hacked by LulzSec in 201 1. 
Lizard Squad affiliates have some 
members from other groups, such as 
"UGNazi" and "ex-LulzSec", using the 
same symbolic and style of posts. After 
the arrest of LulzSec members, the group 
was restructured. 


So called "GOP" who compromised Sony in 
2014, previously had no hacking activities or 
presence in the WEB. 


10 


Immediately after the Sony hack, Lizard 
Squad repeated DDoS attack on Sony 
PSN. 


There is a correlation in harmful activities from 
Lizard Squad and GOP by time. 


11 


In an interview with the Washington 
Post, Lizard Squad explained, that they 
have links with "GOP" and provided 
them with credentials for the Sony hack. 

Well, we do know some people from the 
gop. We handed over some Sony employee 
logins to them. For the initial hack. 


There is a correlation in harmful activities from 
Lizard Squad and GOP by means of attack, and 
by the fact, that one of Lizard Squad members 
"Abdilo" left the group in October 2014, 
before the Sony hack, which may show him as 
one of the potential bad actors, responsible for 
the new group GOP and past attacks. 


12 


In one of the articles, relating to the first 
DDoS attacks on big e-gaming services, 
there was a mentioned actor 
"GOPGangster". Lizard Squad member 
"Abdilo", using one of his old 
nicknames, commented the article. 


There is a correlation between GOP as a group 
name, and links between Lizard Squad former 
member "Abdilo" and "GOPGangster". 



. Table 2 - Lizard Squad / GOP Characteristics Analysis 
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Appendix B. - Social Graph 
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Conclusion 



Our analysis shows that young gamers were dissatisfied for a variety of reasons with the 
technology companies that provided them participating networks. 

Attacking companies for fun, for a challenge, for a disliked policy, is really the ultimate online 
game. These identified bad actors seemed to have penetrated the networks over a substantial time 
period, giving them access to all types of intellectual property, corporate assets, and employee 
data. As discovered, these access points were offered up for sale or trade in the underground. 

These groups are not solely restricted to the gaming sector but are clearly demonstrating their 
pursuit in other objects of interest. 

The recent high profile targeted cyber attacks may have involved "for hire" hacker groups or 
independent Hacktivists. 
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Disclaimer 



The research, findings, and analysis in this report are based on a combination of open and 
operative sources. To protect some victims and open cases, the non-disclosure of operative 
sources may leave some gaps in the linkage of some parts of the analysis. This report is solely 
the opinion of IntelCrawler LLC. 

Trademarks 

IntelCrawler, the IntelCrawler logo, and IntelCrawler's products and services are trademarks or 
registered trademarks of IntelCrawler LLC. Other trademarks and trade names may be used in 
this document to refer to either the entities claiming the marks and/or the names of their 
products. IntelCrawler disclaims proprietary interest in the marks and names of others. 



© Copyright 2015 IntelCrawler LLC. All rights reserved. 
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